Most modern data processing systems include some mechanism to control system access, and further to control access to the various resources available within the system. Generally, a user gains access to a system by supplying a user identification (“userid”) and password. This information is compared against previously stored authorization information, and if a favorable compare occurs, the user is granted access to the system.
Once the user has gained system access, other types of access control mechanisms are used to limit the types of operations the user may perform. In many systems, the types of operations a user may perform are generally associated with a user's role with respect to the data processing system. For example, a system administrator may be granted the right to back up and restore files, perform security tasks, or engage in tasks that produce system-wide changes. The right to perform these types of operations is controlled by assigning each user a set of “system privileges”.
Another type of control mechanism is generally provided to control the types of files, directories, and other resources a user may access. This type of control mechanism involves the assignment of “access rights” that allow a user to perform certain operations on a resource. For example, such access rights may be granted to allow a user to read from, and write to, a file. A user may also be allowed to create or delete a file. Other types of access rights may include executing or launching a program.
Prior art systems generally control the granting of access rights by creating groups of users. Each group associates one or more users with a common set of access rights. A group is then associated with one or more system resources such as files. In this manner, the users in a group are allowed to access the system resources that have been associated with the group. This access is provided according to the common set of access rights specified by group.
The creation of groups simplifies some of the tasks associated with managing access to files, directories, and other resources, since multiple users can be treated as a single unit for purposes of granting access rights. However, inefficiencies exist within this prior art system. For example, a group is generally associated with a resource such as a file by updating the file to include some type of data that identifies the group. A file may store hundreds of such identifiers, each identifying a corresponding group. This increases the size of the file, and creates administrative inefficiencies. Every time a new group of users is created, each file that is to be associated with this new group must be updated to include the group identifier. The same is also true when a group is deleted. Because large data processing systems store thousands, if not millions, of files, maintaining a system that is current may become a daunting management task. This process is further complicated in systems having a large number of users, many having access rights that are often changing.
Another problem associated with the prior art system involves the fact that a group is used to assign both access rights and system privileges to the users that are members of the group. Thus, even though a large number of users share a common set of access rights, these users cannot be members of the same group if they do not also share a common set of privileges. This greatly increases the number of groups that must be created, increasing system overhead, and also consuming storage space.
An improvement to the foregoing system creates groups of users that are assigned a common set of access rights, but are not assigned system privileges. The system privileges are instead assigned directly to the users themselves. In this manner, users may be grouped in a manner that does not take into consideration the privileges. This allows for the creation of fewer groups, making group management more efficient. However, this approach does not address inefficiencies that exist when associating system resources to the groups of users.
What is needed, therefore, is an improved system and method for managing system privileges and access rights within a data processing system.